Create a Custom Entra ID Role to View LAPS Passwords in Microsoft Intune

We’re planning to roll out Windows Local Administrator Password Solution (LAPS), and a key requirement is that our helpdesk staff and workplace admins can access the LAPS password. This post shows how to view LAPS passwords in Intune without granting too many permissions. I will explain how to create a custom Microsoft Entra ID role that allows controlled visibility of LAPS passwords, and how to integrate this role seamlessly with an existing Privileged Identity Management (PIM) group.

The Default Limitation

By default, Microsoft Intune limits access to LAPS passwords. Only those with the Global Administrator or Intune Administrator role can retrieve local admin passwords. Since you don’t want to grant these high-level roles to your helpdesk team or workplace admins, you need a way to follow the principle of least privilege. You can achieve this by creating a custom Entra ID role and assigning that role to the employees.

Insufficient LAPS Permissions

In the current situation, the workplace admin already has an Intune role assigned that can be activated through a PIM group called: Workplace Admins Intune Role.

When active, the admin can sign in to the Intune portal and view device information, but when attempting to view the LAPS password for a device, a notification appears:

There is no permission under Tenant administration -> Roles in the Intune portal that you can add to a custom Intune role to view LAPS passwords. This needs to be done by creating a custom Entra ID role and then assigning it to the admin.

Since we already have an Intune PIM group, we can assign this custom role to the existing group so the admin only needs to activate the existing role to enable both the Intune permissions and the additional view LAPS password permissions.

Creating the Custom Entra ID Role

To create a custom Entra ID role, your account needs to have either the Privileged Role Administrator or Global Administrator role assigned.

Open Microsoft Entra admin center and navigate to Roles and administrators and select New custom role.

Enter a descriptive name: LAPS Password View and a description: Permissions to view LAPS password intune portal and select Next.

Add the required permission which is: microsoft.directory/deviceLocalCredentials/password/read (Read all properties of the backed up local administrator account credentials for Microsoft Entra joined devices, including the password). Select Next.

Select: Create

Now the custom role: LAPS Password View is created.

If the option Local Admin Password in the Intune portal is grayed out, you also need to assign the Intune role permission Rotate Local Admin Password, located under the Remote tasks permissions, to the admin’s Intune role.

Assigning the Role via Existing PIM Group

Now that the custom role is created, we only have to assign it to the existing PIM group mentioned at the beginning of the blog.

In Microsoft Entra admin center -> Roles and administrators, open the custom role (LAPS Password View).

Select Add assignments.

Select No members selected -> select the PIM group (already assigned to the workplace admin): Workplace Admins Intune Role and click Select.

Leave Scope type on: Directory and select Next.

Set Assignment type to: Active (do not use Eligible, to avoid a second activation). Enter a justification for the Active assignment type.
If you don’t want Permanently assigned, uncheck it and set a start and end date. I will leave it on Permanently assigned. Select Assign.
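The same role creation and group assignment steps, scripted with the Microsoft Graph PowerShell SDK. This is an added example and not part of the original post. It assumes the Microsoft.Graph modules are installed, that the signed-in account holds Privileged Role Administrator (or Global Administrator), and that the group name matches the PIM group from the post and is a role-assignable group (Entra roles can only be assigned to groups created with isAssignableToRole set to true). The role name, description, permission string and group name are taken from the post; the variable names and the audit step at the end are my own.

```powershell
# Added example (not the original post's code): create the "LAPS Password View"
# custom Entra ID role with the single directory permission from the post, assign it
# as an Active, directory-scoped assignment to the existing PIM group, then list who
# holds it. Assumes Microsoft Graph PowerShell SDK and a Privileged Role Administrator.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.Governance, Microsoft.Graph.Groups

$RoleName   = 'LAPS Password View'
$RoleDesc   = 'Permissions to view LAPS password in the Intune portal'
$LapsAction = 'microsoft.directory/deviceLocalCredentials/password/read'
$GroupName  = 'Workplace Admins Intune Role'   # existing PIM group from the post

# Least-privilege Graph scopes: write role definitions/assignments, read groups.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Group.Read.All' -NoWelcome

# 1. Create the custom role (idempotent: reuse it if it already exists).
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $role) {
    $role = New-MgRoleManagementDirectoryRoleDefinition `
        -DisplayName $RoleName `
        -Description $RoleDesc `
        -IsEnabled `
        -RolePermissions @(@{ AllowedResourceActions = @($LapsAction) })
    Write-Host "Created custom role '$RoleName' ($($role.Id))"
}
else {
    Write-Host "Custom role '$RoleName' already exists ($($role.Id))"
}

# Guardrail: the role must grant exactly the one read action and nothing else.
$actions = @($role.RolePermissions.AllowedResourceActions)
if ($actions.Count -ne 1 -or $actions[0] -ne $LapsAction) {
    throw "Role '$RoleName' grants unexpected actions: $($actions -join ', ')"
}

# 2. Resolve the existing PIM group and confirm it is role-assignable.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'" -Property Id, DisplayName, IsAssignableToRole
if (-not $group) { throw "Group '$GroupName' not found" }
if (-not $group.IsAssignableToRole) {
    throw "Group '$GroupName' is not role-assignable; Entra roles cannot be assigned to it"
}

# 3. Active, directory-wide assignment of the role to the group.
#    DirectoryScopeId '/' is the portal's "Directory" scope type.
$existing = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$($role.Id)' and principalId eq '$($group.Id)'"
if (-not $existing) {
    New-MgRoleManagementDirectoryRoleAssignment `
        -RoleDefinitionId $role.Id `
        -PrincipalId $group.Id `
        -DirectoryScopeId '/' | Out-Null
    Write-Host "Assigned '$RoleName' to group '$GroupName'"
}

# 4. Audit: list every principal that holds the LAPS read permission through this role,
#    so the assignment can be reviewed periodically.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'" |
    ForEach-Object {
        [pscustomobject]@{
            Role        = $RoleName
            PrincipalId = $_.PrincipalId
            Scope       = $_.DirectoryScopeId
        }
    } | Format-Table -AutoSize
```

The portal steps above map one-to-one onto these calls: the custom role is a unifiedRoleDefinition, and the Active assignment type is a direct roleAssignment (an Eligible assignment would instead go through the PIM roleEligibilityScheduleRequests API, which is exactly the second activation the post avoids). The group itself stays an ordinary PIM-for-groups target, so admins still activate only their group membership.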

Sufficient LAPS Permissions

Let’s see what happens when the workplace admin activates the existing Intune PIM group role: Workplace Admins Intune Role.

Before PIM group activation:

  • The custom Microsoft Entra role is not active.
  • So LAPS passwords are not accessible.

Activating the PIM group: Workplace Admins Intune Role.

After PIM group activation:

  • The custom LAPS Password View role becomes active automatically.
  • You can view LAPS credentials through the Intune portal.

The workplace admin can now view the LAPS password and LAPS account name of Intune-managed devices in the Intune portal.

Conclusion

By creating a custom Entra ID role with minimal LAPS read permissions and assigning it to an existing PIM group, you achieve:

  • Least‑privilege access to LAPS passwords
  • No additional admin or activation overhead
  • A clean, scalable model aligned with security best practices

More information about LAPS and PIM for groups:

Windows LAPS overview | Microsoft Learn

Privileged Identity Management (PIM) for Groups – Microsoft Entra ID Governance | Microsoft Learn
